Facilitating packet flow in a communication network implementing load balancing and security operations

US 8,427,956 B1
Filed: 03/06/2006
Issued: 04/23/2013
Est. Priority Date: 03/06/2006
Status: Active Grant

First Claim

Patent Images

1. A method for facilitating packet flow in a communication network, comprising:

receiving at a defender a request message sent from a node;

communicating, from the defender, the request message to a load balancer, the request message having a destination address associated with the load balancer, the load balancer configured to communicate the request packet to a network element server selected from a plurality of network element servers;

receiving, at the defender, a response message from the network element server, the response message comprising a reference to the request message;

determining, at the defender, that the response message has a source address different from the destination address of the request message, the source address identifying the network element server as a source;

in response to determining that the response message has a source address different from the destination address of the request message, determining, at the defender, whether the source address of the response message is included in a list of addresses of approved servers, the list of addresses of approved servers stored at the defender; and

communicating, from the defender, the response message to the node if the source address corresponds to an approved network element server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Facilitating packet flow in a communication network includes receiving at a defender a request packet sent from a node. The request packet is communicated to a load balancer operable to communicate the request packet to a network element server selected from a plurality of network element servers. The request packet has a destination address associated with the load balancer. A response packet is received from the network element server. The response packet has a tunnel endpoint address. Whether the tunnel endpoint address corresponds to an approved network element server is determined. The response packet is communicated to the node if the tunnel endpoint address corresponds to an approved network element server.

Citations

18 Claims

1. A method for facilitating packet flow in a communication network, comprising:
- receiving at a defender a request message sent from a node;
  
  communicating, from the defender, the request message to a load balancer, the request message having a destination address associated with the load balancer, the load balancer configured to communicate the request packet to a network element server selected from a plurality of network element servers;
  
  receiving, at the defender, a response message from the network element server, the response message comprising a reference to the request message;
  
  determining, at the defender, that the response message has a source address different from the destination address of the request message, the source address identifying the network element server as a source;
  
  in response to determining that the response message has a source address different from the destination address of the request message, determining, at the defender, whether the source address of the response message is included in a list of addresses of approved servers, the list of addresses of approved servers stored at the defender; and
  
  communicating, from the defender, the response message to the node if the source address corresponds to an approved network element server.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the plurality of network element servers comprises a plurality of gateway General Packet Radio Services (GPRS) support nodes (GGSNs).
  - 3. The method of claim 1, wherein the node comprises a serving General Packet Radio Services (GPRS) support node (SGSN).
  - 4. The method of claim 1, wherein:
    - the request message comprises a Create Packet Data Protocol (PDP) Context Request message; and
      
      the response message comprises a Create PDP Context Response message.
  - 5. The method of claim 1, further comprising:
    - establishing the list of addresses of approved servers by;
      
      establishing that each network element server corresponding to each address in the list of addresses of approved servers is an approved network element server; and
      
      storing a plurality of network element server addresses in the list of addresses of approved servers, each address of the plurality of network element server addresses corresponding to an approved network element server.

6. A defender configured to facilitate packet flow in a communication network, comprising:
- an interface configured to;
  
  receive a request message sent from a node; and
  
  a non-transitory computer-readable medium comprising logic coupled to the interface, the logic configured to;
  
  communicate the request message to a load balancer, the request message having a destination address associated with the load balancer, the load balancer configured to communicate the request packet to a network element server selected from a plurality of network element servers;
  
  the interface further configured to;
  
  receive a response message from the network element server, the response message comprising a reference to the request message; and
  
  the logic further configured to;
  
  determine that the response message has a source address different from the destination address of the request message, the source address identifying the network element server as a source;
  
  in response to determining that the response message has a source address different from the destination address of the request message, determine whether the source address of the response message is included in a list of addresses of approved servers, the list of addresses of approved servers stored at the defender; and
  
  communicate the response message to the node if the source address corresponds to an approved network element server.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The defender of claim 6, wherein the plurality of network element servers comprises a plurality of gateway General Packet Radio Services (GPRS) support nodes (GGSNs).
  - 8. The defender of claim 6, wherein the node comprises a serving General Packet Radio Services (GPRS) support node (SGSN).
  - 9. The defender of claim 6, wherein:
    - the request message comprises a Create Packet Data Protocol (PDP) Context Request message; and
      
      the response message comprises a Create PDP Context Response message.
  - 10. The defender of claim 6, the logic further operable to:
    - establish the list of addresses of approved servers by;
      
      establishing that each network element server corresponding to each address in the list of addresses of approved servers is an approved network element server; and
      
      storing a plurality of network element server addresses in the list of addresses of approved servers, each address of the plurality of network element server addresses corresponding to an approved network element server.
  - 11. The defender of claim 6, wherein:
    - the plurality of network element servers comprises a plurality of gateway General Packet Radio Services (GPRS) support nodes (GGSNs);
      
      the node comprises a serving General Packet Radio Services (GPRS) support node (SGSN);
      
      the request message comprises a Create Packet Data Protocol (PDP) Context Request message;
      
      the response message comprises a Create PDP Context Response message; and
      
      the logic is further operable to;
      
      establish that each network element server corresponding to each address in the list of addresses of approved servers is an approved network element server; and
      
      store a plurality of network element server addresses in the list of addresses of approved servers, each address of the plurality of network element server addresses corresponding to an approved network element server.

12. At least one non-transitory computer-readable medium storing instructions that, when executed by at least one processor, are configured to:
- receive at a defender a request message sent from a node;
  
  communicate, from the defender, the request message to a load balancer, the request message having a destination address associated with the load balancer, the load balancer comprising a device and logic, the load balancer configured to communicate the request packet to a network element server selected from a plurality of network element servers;
  
  receive, at the defender, a response message from the network element server, the response message comprising a reference to the request message;
  
  determine, at the defender, that the response message has a source address different from the destination address of the request message, the source address identifying the network element server as a source;
  
  in response to determining that the response message has a source address different from the destination address of the request message, determine, at the defender, whether the source address of the response message is included in a list of addresses of approved servers, the list of addresses of approved servers stored at the defender; and
  
  communicate, from the defender, the response message to the node if the source address corresponds to an approved network element server.

13. A system for facilitating packet flow in a communication network, comprising:
- a defender configured to;
  
  receive a request message sent from a node, the request message having a destination address associated with the load balancer; and
  
  a load balancer coupled to the defender, the load balancer configured to;
  
  receive the request message from the defender; and
  
  communicate the request message to a network element server selected from a plurality of network element servers;
  
  the defender further configured to;
  
  receive a response message from the network element server, the response message comprising a reference to the request message;
  
  determine that the response message has a source address different from the destination address of the request message, the source address identifying the network element server as a source;
  
  in response to determining that the response message has a source address different from the destination address of the request message, determine whether the source address is included in a list of addresses of approved servers, the list of addresses of approved servers stored at the defender; and
  
  communicate the response message to the node if the source address corresponds to an approved network element server.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, further comprising:
    - the plurality of network element servers, the plurality of network element servers comprising a plurality of gateway General Packet Radio Services (GPRS) support nodes (GGSNs).
  - 15. The system of claim 13, further comprising:
    - the node, the node comprising a serving General Packet Radio Services (GPRS) support node (SGSN).
  - 16. The system of claim 13, wherein:
    - the request message comprises a Create Packet Data Protocol (PDP) Context Request message; and
      
      the response message comprises a Create PDP Context Response message.
  - 17. The system of claim 13, the defender further operable to:
    - establish the list of approved servers by;
      
      establishing that each network element server corresponding to each address in the list of addresses of approved servers is an approved network element server; and
      
      storing a plurality of network element server addresses in the list of addresses of approved servers, each address of the plurality of network element server addresses corresponding to an approved network element server.
  - 18. The system of claim 13 further comprising:
    - the plurality of network element servers, the plurality of network element servers comprising a plurality of gateway General Packet Radio Services (GPRS) support nodes (GGSNs);
      
      the node, the node comprising a serving General Packet Radio Services (GPRS) support node (SGSN); and
      
      wherein;
      
      the request message comprises a Create Packet Data Protocol (PDP) Context Request message;
      
      the response message comprises a Create PDP Context Response message; and
      
      the defender is further operable to;
      
      establish the list of addresses of approved servers by;
      
      establishing that each network element server corresponding to each address in the list of addresses of approved servers is an approved network element server; and
      
      storing a plurality of network element server addresses in the list of addresses of approved servers, each address of the plurality of network element server addresses corresponding to an approved network element server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Thai, Hien T., Gasson, Andrew G., Andriantsiferana, Laurent, Iyer, Jayaraman R., Jadhav, Nishant S., Shatzkarner, Kevin D.
Primary Examiner(s)
Rinehart, Mark
Assistant Examiner(s)
Cheng, Peter

Application Number

US11/369,072
Time in Patent Office

2,605 Days
Field of Search

370/230, 370/401, 370/231, 370/236, 370328- 9, 370/338, 370348- 9
US Class Current

370/236
CPC Class Codes

H04L 63/101   Access control lists [ACL]

H04L 67/1004   Server selection for load b...

H04W 12/088   using filters or firewalls

H04W 76/12   Setup of transport tunnels

Facilitating packet flow in a communication network implementing load balancing and security operations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Facilitating packet flow in a communication network implementing load balancing and security operations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links